https://community.splunk.com/t5/Installation/Correlation-search-not-returning-correct-results/m-p/554702#M7490 <P>Hi everybody,</P><P>I have recently enabled a new correlation search in my Splunk ES. This search looks for possible Ransomware file based on their extension. I have Splunk 8.1.4 running on Windows 2016 and Splunk ES 6.4.1. ES Content Update (the app where the search is defined) is at version 3.20.0.<BR />The original search was working good and it detected a suspicious file on one server. Since such file is expected, I put a whitelist in the correlation search just redefining a macro already available.<BR />This is the search:</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | rex field=file_name "(?&lt;file_extension&gt;\.[^\.]+)$" | `ransomware_extensions` | `common_ransomware_extensions_filter`</LI-CODE><P>&nbsp;</P><P>And I redefined the last macro as follows:</P><P>&nbsp;</P><LI-CODE lang="markup">search NOT [ | inputlookup ransomware_ext_file_wl ]</LI-CODE><P>&nbsp;</P><P>The lookup defined contains only one column (file_name) and one row (the file name I want to white-list).</P><P>If I run this search in a search panel, I got no results and this is the expected behavior. But when the search is executed by the scheduler, I always get a result (and a notable event) for such file that I put into whitelist.<BR />It's like the macro is not expanded correctly or the lookup is empty.</P><P>Does anybody have any idea about the reason of getting different results?</P><P>Thanks in advance.</P> Mon, 07 Jun 2021 14:24:53 GMT lpino 2021-06-07T14:24:53Z https://community.splunk.com/t5/Installation/Correlation-search-not-returning-correct-results/m-p/554702#M7490 <P>Hi everybody,</P><P>I have recently enabled a new correlation search in my Splunk ES. This search looks for possible Ransomware file based on their extension. I have Splunk 8.1.4 running on Windows 2016 and Splunk ES 6.4.1. ES Content Update (the app where the search is defined) is at version 3.20.0.<BR />The original search was working good and it detected a suspicious file on one server. Since such file is expected, I put a whitelist in the correlation search just redefining a macro already available.<BR />This is the search:</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | rex field=file_name "(?&lt;file_extension&gt;\.[^\.]+)$" | `ransomware_extensions` | `common_ransomware_extensions_filter`</LI-CODE><P>&nbsp;</P><P>And I redefined the last macro as follows:</P><P>&nbsp;</P><LI-CODE lang="markup">search NOT [ | inputlookup ransomware_ext_file_wl ]</LI-CODE><P>&nbsp;</P><P>The lookup defined contains only one column (file_name) and one row (the file name I want to white-list).</P><P>If I run this search in a search panel, I got no results and this is the expected behavior. But when the search is executed by the scheduler, I always get a result (and a notable event) for such file that I put into whitelist.<BR />It's like the macro is not expanded correctly or the lookup is empty.</P><P>Does anybody have any idea about the reason of getting different results?</P><P>Thanks in advance.</P> Mon, 07 Jun 2021 14:24:53 GMT https://community.splunk.com/t5/Installation/Correlation-search-not-returning-correct-results/m-p/554702#M7490 lpino 2021-06-07T14:24:53Z